2009 ISACA newly added official practice questions (95 questions)

Preview: the page shows only the first 5 of 30 pages, so the question set below breaks off partway through question 23.
2009 CISA practice questions (new)

1. A benefit of open system architecture is that it:
a. facilitates interoperability.
b. facilitates the integration of proprietary components.
c. will be a basis for volume discounts from equipment vendors.
d. allows for the achievement of more economies of scale for equipment.
Answer: a
Note: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

2. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
a. Commands typed on the command line are logged.
b. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
c. Access to the operating system command line is granted through an access restriction tool with preapproved rights.
d. Software development tools and compilers have been removed from the production environment.
Answer: b
Note: The matching of hash keys (cryptographic hashes of the program files) over time would allow detection of changes to files; the comparison only detects changes reliably if the baseline hashes are stored where the developers cannot alter them. Choice a is incorrect because having a log is not a control; reviewing the log is a control. Choice c is incorrect because the access was already granted; it does not matter how.
Choice d is wrong because files can be copied to and from the production environment.

3. In the context of effective information security governance, the primary objective of value delivery is to:
a. optimize security investments in support of business objectives.
b. implement a standard set of security practices.
c. institute a standards-based solution.
d. implement a continuous improvement culture.
Answer: a
Note: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

4. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The major risk associated with this is that:
a. assessment of the situation may be delayed.
b. execution of the disaster recovery plan could be impacted.
c. notification of the teams might not occur.
d. potential crisis recognition might be ineffective.
Answer: b
Note: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices a, c and d are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams.
Potential crisis recognition is the first step in responding to a disaster.

5. When implementing an IT governance framework in an organization, the MOST important objective is:
a. IT alignment with the business.
b. accountability.
c. value realization with IT.
d. enhancing the return on IT investments.
Answer: a
Note: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice a). To achieve alignment, all other choices need to be tied to business practices and strategies.

6. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
a. an integrated services digital network (ISDN) data link.
b. traffic engineering.
c. wired equivalent privacy (WEP) encryption of data.
d. analog phone terminals.
Answer: b
Note: To ensure that quality of service requirements are achieved, the voice-over-IP (VoIP) service over the wide area network (WAN) should be protected from packet loss, latency and jitter. To reach this objective, network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

7. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist.
Which of the following is MOST important?
a. The tools used to conduct the test
b. Certifications held by the IS auditor
c. Permission from the data owner of the server
d. An intrusion detection system (IDS) is enabled
Answer: c
Note: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.

8. Which of the following is a risk of cross-training?
a. Increases the dependence on one employee
b. Does not assist in succession planning
c. One employee may know all parts of a system
d. Does not help in achieving a continuity of operations
Answer: c
Note: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

9. The use of digital signatures:
a. requires the use of a one-time password generator.
b. provides encryption to a message.
c. validates the source of a message.
d. ensures message confidentiality.
Answer: c
Note: The use of a digital signature verifies the identity of the sender (and, because the signature is computed over a hash of the content, detects any alteration of the signed message), but it does not encrypt the message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

10. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products.
Which of the following is the PRIMARY concern associated with this initiative?
a. Issues of privacy
b. Wavelength can be absorbed by the human body
c. RFID tags may not be removable
d. RFID eliminates line-of-sight reading
Answer: a
Note: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID tags can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID tag. Choices b and c are concerns of less importance. Choice d is not a concern.

11. A lower recovery time objective (RTO) results in:
a. higher disaster tolerance.
b. higher cost.
c. wider interruption windows.
d. more permissive data loss.
Answer: b
Note: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies.
A lower RTO also goes with lower disaster tolerance, narrower interruption windows and less permissive data loss, so choices a, c and d describe the opposite effect.

12. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:
a. test data covering critical applications.
b. detailed test plans.
c. quality assurance test specifications.
d. user acceptance testing specifications.
Answer: d
Note: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and user acceptance test specifications should be developed during this phase. The other choices are generally performed during the system testing phase.

13. The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
a. outgoing traffic with IP source addresses external to the network.
b. incoming traffic with discernible spoofed IP source addresses.
c. incoming traffic with IP options set.
d. incoming traffic to critical hosts.
Answer: a
Note: Outgoing traffic with an IP source address outside the network's own IP range is invalid. In most cases it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack. This is the source-address validation recommended in BCP 38: spoofed packets cannot leave the network, so the amplified replies never reach the victim.

14. What is the BEST backup strategy for a large database with data supporting online sales?
a. Weekly full backup with daily incremental backup
b. Daily full backup
c. Clustered servers
d. Mirrored hard disks
Answer: a
Note: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day.
Clustered servers provide a redundant processing capability, but are not a backup. Mirrored hard disks will not help in case of disaster.

15. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
a. Session keys are dynamic
b. Private symmetric keys are used
c. Keys are static and shared
d. Source addresses are not encrypted or authenticated
Answer: a
Note: WPA uses dynamic session keys, achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.

16. The ultimate purpose of IT governance is to:
a. encourage optimal use of IT.
b. reduce IT costs.
c. decentralize IT resources across the organization.
d. centralize control of IT.
Answer: a
Note: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired either; an example of where it might be desired is an enterprise wanting a single point of customer contact.

17. The main purpose of a transaction audit trail is to:
a. reduce the use of storage media.
b. determine accountability and responsibility for processed transactions.
c. help an IS auditor trace transactions.
d. provide useful information for capacity planning.
Answer: b
Note: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not by itself aid in determining accountability and responsibility.
The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

18. An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
a. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
b. accept the project manager's position, as the project manager is accountable for the outcome of the project.
c. offer to work with the risk manager when one is appointed.
d. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
Answer: a
Note: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices.
Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

19. A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
a. Badge readers are installed in locations where tampering would be noticed
b. The computer that controls the badge system is backed up frequently
c. A process for promptly deactivating lost or stolen badges exists
d. All badge entry attempts are logged
Answer: c
Note: Tampering with a badge reader cannot open the door, so this is irrelevant. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process of deactivating lost or stolen badges is important. The configuration of the system does not change frequently, therefore frequent backup is not necessary.

20. Which of the following would impair the independence of a quality assurance team?
a. Ensuring compliance with development methods
b. Checking the testing assumptions
c. Correcting coding errors during the testing process
d. Checking the code to ensure proper documentation
Answer: c
Note: Correction of code should not be a responsibility of the quality assurance team, as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.

21. Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
a. A security information and event management (SIEM) product
b. An open-source correlation engine
c. A log management tool
d. An extract, transform, load (ETL) system
Answer: c
Note: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to
produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?). A SIEM product has some similar features: it correlates events from log files, but does so online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product; it is oriented to making an online correlation of events. An extract, transform, load (ETL) system is part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading it into a central repository (data warehouse or data mart); an ETL system does not correlate data or produce reports, and normally it does not have extractors to read log file formats. (This distinction reflects the product landscape when the question was written; many current SIEM platforms also retain long-term history and produce audit reports, but the expected answer is still c.)

22. To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
a. public key and then encrypt the message with the receiver's private key.
b. private key and then encrypt the message with the receiver's public key.
c. public key and then encrypt the message with the receiver's public key.
d. private key and then encrypt the message with the receiver's private key.
Answer: b
Note: Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect; choices a and d would additionally require the sender to hold the receiver's private key, which the sender never has.

23. An IS auditor observes a weakness in the tape management system at a data center in th
